The discussion has been lively, and I haven't been idle either. It really does have to do with the firewall configuration.
While testing Ping -r on a laptop I was monitoring the firewall log, and got the following security warning:
Deny IP from 172.20.9.56 to 180.166.1.65, IP options: “Record Route”
Cisco's explanation of this warning message is as follows:
106012
Error Message %ASA-6-106012: Deny IP from IP_address to IP_address, IP options hex.
Explanation An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.
Recommended Action Contact the remote host system administrator to determine the problem. Check the local site for loose source routing or strict source routing.
An IP packet was seen carrying IP options. Because IP options are considered a security risk, the packet was discarded.
What this actually means is that the packet generated by Ping -r was blocked by the firewall because of the security risk, so the expected result cannot come back.
Also, according to the description of the PING option at http://linux.die.net/man/8/ping (quoted below), most hosts ignore or discard this option (IP options). That is why PING -r to many addresses returns no result.
-R
Record route. Includes the RECORD_ROUTE option in the ECHO_REQUEST packet and displays the route buffer on returned packets. Note that the IP header is only large enough for nine such routes. Many hosts ignore or discard this option.
Now look at Microsoft's definition of the PING -r parameter:
-r Count : Specifies that the Record Route option in the IP header is used to record the path taken by the Echo Request message and corresponding Echo Reply message. Each hop in the path uses an entry in the Record Route option. If possible, specify a Count that is equal to or greater than the number of hops between the source and destination. The Count must be a minimum of 1 and a maximum of 9.
Translation: the Record Route option in the IP header is used to record the path taken by the Echo Request message and the corresponding Echo Reply message.
So, in plainer terms, the process goes like this:
When we run a PING -r test, the test packets it generates carry some extra information in the IP header, the Record Route option. However, most of the routers or firewalls the packet passes through discard or ignore this information for security reasons, so the returned test result will not contain the routing information we want. Worse, because the test packet is discarded, an error is returned directly: Request timed out.
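As an added illustration (not part of this post or of any vendor's code), here is a small Python model of what the Record Route option looks like in flight and of the check behind the ASA 106012 message. The header builder, the per-router `record_hop` function and `asa_verdict` are hypothetical helpers; the addresses are the ones from the log line above, the ICMP payload is omitted and the header checksum is left at zero.

```python
import struct
import ipaddress
IPOPT_NOP, IPOPT_RR = 1, 7
OPTION_NAMES = {7: "Record Route", 131: "Loose Source Route", 137: "Strict Source Route"}

def record_route_option(slots=9):
    # ping -r/-R sends type 7, length 3 + 4*slots, pointer 4 (first empty slot); 40 bytes of option space minus the 3-byte header caps slots at 9
    return bytes([IPOPT_RR, 3 + 4 * slots, 4]) + b"\x00" * (4 * slots)

def build_ipv4_header(src, dst, options=b""):  # protocol 1 = ICMP, checksum left zero
    options += b"\x00" * ((-len(options)) % 4)          # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4                          # header length in 32-bit words
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4, 0, 0, 64, 1, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fixed + options

def record_hop(packet, router_ip):
    # A router that honours the option writes its address at the pointer and advances it (RFC 791); option assumed at byte 20
    pkt = bytearray(packet)
    length, pointer = pkt[21], pkt[22]
    if pointer > length:                     # every slot used: forwarded unchanged
        return bytes(pkt)
    pkt[20 + pointer - 1:20 + pointer + 3] = ipaddress.IPv4Address(router_ip).packed
    pkt[22] = pointer + 4
    return bytes(pkt)

def parse_ip_options(packet):
    # Walk the option area (bytes 20..IHL*4); returns [(name, addresses recorded so far)]
    ihl = (packet[0] & 0x0F) * 4
    opts, found, i = packet[20:ihl], [], 0
    while i < len(opts) and opts[i] != 0:                # 0 = End of Option List
        if opts[i] == IPOPT_NOP:
            i += 1
            continue
        kind, length, addrs = opts[i], opts[i + 1], []
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed IP option")
        if kind in OPTION_NAMES:                         # slots before the pointer are filled
            filled = opts[i + 3:i + opts[i + 2] - 1]
            addrs = [str(ipaddress.IPv4Address(filled[j:j + 4])) for j in range(0, len(filled), 4)]
        found.append((OPTION_NAMES.get(kind, f"type {kind}"), addrs))
        i += length
    return found

def asa_verdict(packet):
    # The policy behind %ASA-6-106012: a packet carrying any IP option is denied
    src, dst = (str(ipaddress.IPv4Address(packet[o:o + 4])) for o in (12, 16))
    names = ", ".join(f'"{n}"' for n, _ in parse_ip_options(packet))
    return f"Deny IP from {src} to {dst}, IP options: {names}" if names else "permit"
```

Running `asa_verdict` on a header built with `record_route_option()` reproduces the deny line from the log, while feeding the same packet through ten `record_hop` calls shows the route buffer filling up and stopping at nine entries.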